Some selected club members can now make people subscribe and fix major security hole in board_member verification

2025-07-10 11:59:23 +00:00 · 2017-07-22 00:40:51 +02:00
parent e80f5b6f0f
commit c56094eaaf
5 changed files with 26 additions and 7 deletions
--- a/club/models.py
+++ b/club/models.py
@ -139,10 +139,7 @@ class Club(models.Model):
        """
        Method to see if that object can be edited by the given user
        """
-        ms = self.get_membership_for(user)
-        if ms is not None and ms.role > settings.SITH_MAXIMUM_FREE_ROLE:
-            return True
-        return False
+        return self.has_rights_in_club(user)

    def can_be_viewed_by(self, user):
        """
@ -170,6 +167,10 @@ class Club(models.Model):
                Club._memberships[self.id][user.id] = m
            return m

+    def has_rights_in_club(self, user):
+        m = self.get_membership_for(user)
+        return m is not None and m.role > settings.SITH_MAXIMUM_FREE_ROLE
+

 class Membership(models.Model):
    """